topic How to compare all time average of a field value vs average for specified time range in Splunk Search

How to compare all time average of a field value vs average for specified time range

christopheryu — Tue, 29 Sep 2020 16:31:21 GMT

Trying to combine in a single table the all time average of a field value (data feed start is 10/19) vs its average from a time picked range:

I am getting the below result but would like to combine rows (tried to MVDEDUP interfaces but did not work). Also, would like to add another column for difference.

Thank you in advance!

Re: How to compare all time average of a field value vs average for specified time range

DalJeanis — Mon, 30 Oct 2017 22:25:05 GMT

Do it at the same time. Much more efficient.

 my search
| eval period_average =case(  test that  _time is in the period you want, rpm_average) 
| stats avg(rpm_average) as ALLTIME_AVG, avg(period_average) as TIMEPICKED_AVG by interfaces

FYI, If there were a reason not to do the above, you could just do this at the end...

| stats values(*) as * by interfaces

Re: How to compare all time average of a field value vs average for specified time range

kamlesh_vaghela — Tue, 29 Sep 2020 16:27:03 GMT

Just add into your search.

YOUR_SEARCH | stats values(ALLTIME_AVG ) as ALLTIME_AVG values(TIMEPICKED_AVG) as TIMEPICKED_AVG by interfaces

Re: How to compare all time average of a field value vs average for specified time range

christopheryu — Thu, 02 Nov 2017 15:48:00 GMT

thank you.

Re: How to compare all time average of a field value vs average for specified time range

christopheryu — Thu, 02 Nov 2017 15:48:11 GMT

2nd one worked, pretty much the same as kamlesh's. Thank you.